rule MTI_Hunting_INDUSTROYERv2_Bytes {
	meta:
		author = "Mandiant"
		date = "04-09-2022"
		description = "Searching for executables containing bytecode associated with the INDUSTROYER.V2 malware family."
	strings:
		// 32-bit x86 code fragment: a run of loads from absolute addresses
		// (8B 0D = mov ecx,[imm32]; 8B 15 = mov edx,[imm32]; A1 = mov eax,[imm32];
		// 8A 15 = mov dl,[imm32]) each followed by an 89/88 store with a 2-byte
		// modrm+disp, then lea (8D), a push/pop (5?) and a near call (E8).
		// The [n] jumps wildcard displacements and addresses, so the pattern
		// survives relocation but not a rebuild with different register use.
		$bytes = { 8B [2] 89 [2] 8B 0D [4] 89 [2] 8B 15 [4] 89 [2] A1 [4] 89 [2] 8B 0D [4] 89 [2] 8A 15 [4] 88 [2] 8D [2] 5? 8B [2] E8 }
	condition:
		// PE sanity first ("MZ" at 0, "PE\0\0" at e_lfanew), then the size cap,
		// so the byte scan is only evaluated on small PE files.
		uint16(0) == 0x5A4D
		and uint32(uint32(0x3C)) == 0x00004550
		and filesize < 3MB
		and $bytes
}
rule MTI_Hunting_INDUSTROYERv2_Strings {
	meta:
		author = "Mandiant"
		date = "04-09-2022"
		description = "Searching for executables containing strings associated with the INDUSTROYER.V2 malware family."
	strings:
		// Group A: printf-style log/status format strings. ASDU, OA, IOA and
		// APDU are IEC 60870-5-104 protocol terms; the "M%X" / "ST%X" forms
		// look like per-station/per-object status lines (unconfirmed).
		$a1 = "M%X - d:d:d" ascii wide nocase
		$a2 = "hu:hu:hu:hu" ascii wide nocase
		$a3 = "%s M%X " ascii wide nocase
		$a4 = "%s: %d: %d" ascii wide nocase
		$a5 = "%s M%X %d (%s)" ascii wide nocase
		$a6 = "%s M%X SGCNT %d" ascii wide nocase
		$a7 = "%s ST%X %d" ascii wide nocase
		$a8 = "Current operation : %s" ascii wide nocase
		$a9 = "Sent=x%X | Received=x%X" ascii wide nocase
		$a10 = "ASDU:%u | OA:%u | IOA:%u | " ascii wide nocase
		$a11 = "Cause: %s (x%X) | Telegram type: %s (x%X" ascii wide nocase
		// Group B: APDU dump / direction markers. These could plausibly come
		// from a generic IEC-104 library, which is why one hit from each
		// group is required rather than any single string.
		$b1 = "Length:%u bytes | " ascii wide nocase
		$b2 = "Unknown APDU format !!!" ascii wide nocase
		$b3 = "MSTR ->> SLV" ascii wide nocase
		$b4 = "MSTR <<- SLV" ascii wide nocase
	condition:
		// Small PE file ("MZ" at 0, "PE\0\0" at e_lfanew) with at least one
		// string from each group.
		uint16(0) == 0x5A4D
		and uint32(uint32(0x3C)) == 0x00004550
		and filesize < 3MB
		and any of ($a*)
		and any of ($b*)
}
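rule lnk_wiped {
	meta:
		author = "gvenere"
		description = "LNK with wiped metadata"
	strings:
		// ShellLinkHeader.HeaderSize == 0x4C, little-endian.
		$lnk_magic = { 4C 00 00 00 }
		// Script extensions expected somewhere after the header (offset window
		// below), presumably inside the LinkTargetIDList. ASCII only.
		$ext1 = ".js"
		$ext2 = ".bat"
		$ext3 = ".cmd"
	condition:
		// HeaderSize alone is just a little-endian 76 and matches unrelated
		// files; also require the fixed LinkCLSID that every .lnk carries at
		// offset 4 ({00021401-0000-0000-C000-000000000046}, stored as
		// 01 14 02 00 | 00 00 00 00 | C0 00 00 00 | 00 00 00 46).
		$lnk_magic at 0
		and uint32(4) == 0x00021401
		and uint32(8) == 0x00000000
		and uint32(12) == 0x000000C0
		and uint32(16) == 0x46000000
		// CreationTime / AccessTime / WriteTime are 8-byte FILETIMEs at
		// 0x1C, 0x24 and 0x2C. Only the low 16 bits of each are tested: a
		// zeroed ("wiped") timestamp always passes, a real one almost never.
		and uint16(0x1C) == 0
		and uint16(0x24) == 0
		and uint16(0x2C) == 0
		// Script target extension within the first bytes after the header.
		and any of ($ext*) in (0xA0 .. 0x100)
}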
rule TRITON_ICS_FRAMEWORK {
	meta:
		author = "nicholas.carr @itsreallynick"
		md5 = "0face841f7b2953e7c29c064d6886523"
		description = "TRITON framework recovered during Mandiant ICS incident response"
	strings:
		// Evidence that the file is (or embeds) Python: compiled-module
		// artifacts and the import/def lines of the Ts* modules. Note the
		// $py_* wildcard below does NOT cover these ($python_ != $py_).
		$python_compiled = ".pyc" ascii wide nocase
		$python_module_01 = "__module__" ascii wide nocase
		$python_module_02 = "<module>" ascii wide nocase
		$python_script_01 = "import Ts" ascii wide nocase
		$python_script_02 = "def ts_" ascii wide nocase
		// TS_cnames.py: Triconex / TriStation constant names.
		$py_cnames_01 = "TS_cnames.py" ascii wide nocase
		$py_cnames_02 = "TRICON" ascii wide nocase
		$py_cnames_03 = "TriStation " ascii wide nocase
		$py_cnames_04 = " chassis " ascii wide nocase
		// Shared library strings. Several ("bad ", " sequence", "ts_") are
		// weak on their own; the 7-of threshold is what keeps this usable.
		// $py_tslibs_02 and $py_tslow_04 are deliberately case-sensitive.
		$py_tslibs_01 = "GetCpStatus" ascii wide nocase
		$py_tslibs_02 = "ts_" ascii wide
		$py_tslibs_03 = " sequence" ascii wide nocase
		$py_tslibs_04 = /import Ts(Hi|Low|Base)/ ascii wide nocase
		$py_tslibs_05 = /module\s?version/ ascii wide nocase
		$py_tslibs_06 = "bad " ascii wide nocase
		$py_tslibs_07 = "prog_cnt" ascii wide nocase
		// TsBase.py / TsHi.py / TsLow.py: the three protocol layers.
		$py_tsbase_01 = "TsBase.py" ascii wide nocase
		$py_tsbase_02 = ".TsBase(" ascii wide nocase
		$py_tshi_01 = "TsHi.py" ascii wide nocase
		$py_tshi_02 = "keystate" ascii wide nocase
		$py_tshi_03 = "GetProjectInfo" ascii wide nocase
		$py_tshi_04 = "GetProgramTable" ascii wide nocase
		$py_tshi_05 = "SafeAppendProgramMod" ascii wide nocase
		$py_tshi_06 = ".TsHi(" ascii wide nocase
		$py_tslow_01 = "TsLow.py" ascii wide nocase
		$py_tslow_02 = "print_last_error" ascii wide nocase
		$py_tslow_03 = ".TsLow(" ascii wide nocase
		$py_tslow_04 = "tcm_" ascii wide
		$py_tslow_05 = " TCM found" ascii wide nocase
		// crc.pyc: CRC helper module (author string and CRC variant names).
		$py_crc_01 = "crc.pyc" ascii wide nocase
		$py_crc_02 = "CRC16_MODBUS" ascii wide
		$py_crc_03 = "Kotov Alaxander" ascii wide nocase
		$py_crc_04 = "CRC_CCITT_XMODEM" ascii wide
		$py_crc_05 = "crc16ret" ascii wide
		$py_crc_06 = "CRC16_CCITT_x1D0F" ascii wide
		$py_crc_07 = /CRC16_CCITT[^_]/ ascii wide
		// sh.pyc, misc keywords, and the TRIDENT implant payload file names.
		$py_sh_01 = "sh.pyc" ascii wide nocase
		$py_keyword_01 = " FAILURE" ascii wide
		$py_keyword_02 = "symbol table" ascii wide nocase
		$py_TRIDENT_01 = "inject.bin" ascii wide nocase
		$py_TRIDENT_02 = "imain.bin" ascii wide nocase
	condition:
		// Size cap first (cheapest), then two Python indicators plus seven
		// framework-specific strings.
		filesize < 3MB
		and 2 of ($python_*)
		and 7 of ($py_*)
}
rule SpicyHotPot_wdlogin {
	meta:
		description = "SpicyHotPot - wdlogin.exe: Used to identify memory dump uploading component"
		author = "jai-minton"
		reference = "https://www.crowdstrike.com/blog/author/jai-minton/"
		copyright = "(c) 2020 CrowdStrike Inc."
		date = "2020-11-01"
		hash1 = "7c0fdee3670cc53a22844d691307570a21ae3be3ce4b66e46bb6d9baad1774b8"
	strings:
		// Component-specific: build PDB path, the two driver names it ships
		// with, and the upload endpoint.
		$x1 = "D:\\Work\\Install_Driver\\Driver_helper\\Release\\wdlogin.pdb" ascii fullword
		$x2 = "kmdf_protect.sys" ascii fullword
		$x3 = "kmdf_look.sys" ascii fullword
		$x4 = "/api/v1/post_dump" ascii fullword
		// Supporting strings. $s2-$s4 are the C2 hosts; $s1 and $s5-$s8 are
		// libcurl debug/log messages and will be present in any binary that
		// statically links libcurl, so they must not be relied on alone.
		$s1 = "Negotiate: noauthpersist -> %d, header part: %s" ascii fullword
		$s2 = "https://db.testyk.com" ascii fullword
		$s3 = "https://da.testiu.com" ascii fullword
		$s4 = "https://du.testjj.com" ascii fullword
		$s5 = "schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names" ascii fullword
		$s6 = "No more connections allowed to host %s: %zu" ascii fullword
		$s7 = "RESOLVE %s:%d is - old addresses discarded!" ascii fullword
		$s8 = "Content-Disposition: %s%s%s%s%s%s%s" ascii fullword
		$s9 = "dumping" wide fullword
	condition:
		// "MZ" header, size cap, one specific string and three supporting ones.
		uint16(0) == 0x5A4D
		and filesize < 2000KB
		and any of ($x*)
		and 3 of ($s*)
}
rule SpicyHotPot__J861 {
	meta:
		description = "SpicyHotPot - _J861.exe: Used to identify system fingerprinting, enumeration and networking component"
		author = "jai-minton"
		reference = "https://www.crowdstrike.com/blog/author/jai-minton/"
		copyright = "(c) 2020 CrowdStrike Inc."
		date = "2020-11-01"
		hash1 = "c83e6b96ee3aa1a580157547eae88d112d2202d710218f2ed496f7fe3d861abc"
	strings:
		// Component-specific: PDB path and the registration endpoint. $x2 is
		// a libcurl message and is only "specific" in combination.
		$x1 = "E:\\work\\Icon_Report\\Release\\_service.pdb" ascii fullword
		$x2 = "RESOLVE %s:%d is - old addresses discarded!" ascii fullword
		$x3 = "https://du.testjj.com/api/v1/id" ascii fullword
		// NOTE(review): "(0xX)" looks like a lost format specifier
		// (libcurl's message reads "(0x%08X)"); as written this string may
		// never match. Verify against the sample before relying on it.
		// No modifiers: ascii, not fullword.
		$s1 = "SEC_E_ILLEGAL_MESSAGE (0xX)"
		// Mostly libcurl / UCRT boilerplate ($s2-$s6, $s8, $s11-$s15), plus
		// the self-delete command line ($s7) and SMART disk-serial readers
		// ($s9, $s10) used for host fingerprinting.
		$s2 = "Failed reading the chunked-encoded stream" ascii fullword
		$s3 = "Negotiate: noauthpersist -> %d, header part: %s" ascii fullword
		$s4 = "AppPolicyGetProcessTerminationMethod" ascii fullword
		$s5 = "schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names" ascii fullword
		$s6 = "failed to load WS2_32.DLL (%u)" ascii fullword
		$s7 = "/c ping -n 3 127.1 >nul & del /q %s" ascii fullword
		$s8 = "No more connections allowed to host %s: %zu" ascii fullword
		$s9 = "%d ReadPhysicalDriveInNTUsingSmart ERROR DeviceIoControl(%d, SMART_GET_VERSION) returned 0, error is %d" ascii fullword
		$s10 = "%d ReadPhysicalDriveInNTWithAdminRights ERROR DeviceIoControl() %d, DFP_GET_VERSION) returned 0, error is %d" ascii fullword
		$s11 = "Content-Disposition: %s%s%s%s%s%s%s" ascii fullword
		$s12 = "Content-Type: %s%s%s" ascii fullword
		$s13 = "SOCKS4%s: connecting to HTTP proxy %s port %d" ascii fullword
		$s14 = "No valid port number in connect to host string (%s)" ascii fullword
		$s15 = "Excess found in a read: excess = %zu, size = %I64d, maxdownload = %I64d, bytecount = %I64d" ascii fullword
	condition:
		uint16(0) == 0x5A4D
		and filesize < 3000KB
		and 2 of ($x*)
		and 8 of ($s*)
}
rule apt_nazar_svchost_commands {
	meta:
		description = "Detect Nazar's svchost based on supported commands"
		author = "Itay Cohen"
		date = "2020-04-26"
		reference = "<https://www.epicturla.com/blog/the-lost-nazar>"
		hash = "2fe9b76496a9480273357b6d35c012809bfa3ae8976813a7f5f4959402e3fbb6"
		hash = "be624acab7dfe6282bbb32b41b10a98b6189ab3a8d9520e7447214a7e5c27728"
	strings:
		// Runs of NUL-terminated three-digit ASCII command IDs, exactly as
		// they sit in the binary's command table. Written as text strings
		// with \x00 separators; byte-identical to the original hex form,
		// case-sensitive, ascii only.
		$str1 = "314\x00666\x00313\x00"
		$str2 = "312\x00315\x00555\x00"
		$str3 = "999\x00599\x00499\x00"
		$str4 = "209\x00201\x00200\x00"
		$str5 = "199\x00119\x00189\x00139\x00311\x00"
	condition:
		// Four of the five command-ID runs; no PE/size guard, so this also
		// fires on memory dumps and unpacked payloads.
		4 of ($str*)
}
rule Windows_Trojan_Blister {
	meta:
		author = "Elastic Security"
		creation_date = "2023-08-02"
		last_modified = "2023-08-08"
		os = "Windows"
		arch = "x86"
		category_type = "Trojan"
		family = "Blister"
		threat_name = "Windows.Trojan.Blister"
		license = "Elastic License v2"
	strings:
		// NOTE(review): the 48/49/4C/4D/41 bytes in both patterns read as
		// REX prefixes (e.g. 48 8B C3 = mov rax,rbx; 41 B9 imm32 = mov r9d),
		// i.e. 64-bit code; the "x86" arch tag is best read as x86-family.
		// Confirm against a sample.
		// Loader decode loop: masks a counter with 3 (83 E0 03), fetches a
		// key byte from the stack frame (8A 44 05 48) and loops (75 = jne).
		$b_loader_xor = { 48 8B C3 49 03 DC 83 E0 03 8A 44 05 48 [2-3] ?? 03 ?? 4D 2B ?? 75 }
		// Argument setup around a VirtualProtect-style call: r9d = 4
		// (PAGE_READWRITE-sized constant, 41 B9 04 00 00 00) and stack-slot
		// pointers prepared in rbp-relative slots.
		$b_loader_virtual_protect = { 48 8D 45 50 41 ?? ?? ?? ?? 00 4C 8D ?? 04 4C 89 ?? ?? 41 B9 04 00 00 00 4C 89 ?? F0 4C 8D 45 58 48 89 44 24 20 48 8D 55 F0 }
	condition:
		// Both code fragments must be present; no PE header or size guard.
		$b_loader_xor and $b_loader_virtual_protect
}
rule Windows_Trojan_Netwire_1 {
	meta:
		author = "Elastic Security"
		os = "Windows"
		arch = "x86"
		category_type = "Trojan"
		family = "Netwire"
		threat_name = "Windows.Trojan.Netwire"
	strings:
		// 32-bit code fragment: byte load from [esp+ecx+0x10] (0F B6 74 0C 10),
		// test esi,0xDF (F7 C6 DF 00 00 00) and a short branch. No wildcards,
		// so any rebuild that changes register allocation will break it.
		$a = { 0F B6 74 0C 10 89 CF 29 C7 F7 C6 DF 00 00 00 74 09 41 89 F3 88 5C }
	condition:
		// Single code pattern; no PE or size guard, so this also matches
		// memory dumps.
		$a
}
rule Windows_Trojan_Netwire_2 {
	meta:
		author = "Elastic Security"
		os = "Windows"
		arch = "x86"
		category_type = "Trojan"
		family = "Netwire"
		threat_name = "Windows.Trojan.Netwire"
	strings:
		// Timestamp format used in the keylog output.
		$a1 = "[%.2d/%.2d/%d %.2d:%.2d:%.2d]" fullword
		// Chromium credential database file name; generic to most
		// credential stealers, hence not sufficient on its own.
		$a2 = "\\Login Data"
		// Registry key used for persistence/config.
		$a3 = "SOFTWARE\\NetWire" fullword
	condition:
		// Any two of the three; no PE or size guard.
		2 of ($a*)
}
rule Windows_Trojan_Netwire_3 {
	meta:
		author = "Elastic Security"
		os = "Windows"
		arch = "x86"
		category_type = "Trojan"
		family = "Netwire"
		threat_name = "Windows.Trojan.Netwire"
	strings:
		// 32-bit code fragment with a cmovz (0F 44 C8), shr bl (D0 EB),
		// movzx (0F B7 C9) and a backward jne (75 D1). Fully literal, no
		// wildcards.
		$a = { C9 0F 44 C8 D0 EB 8A 44 24 12 0F B7 C9 75 D1 32 C0 B3 01 8B CE 88 44 }
	condition:
		// Single code pattern; no PE or size guard.
		$a
}
rule Windows_Trojan_Netwire_4 {
	meta:
		author = "Elastic Security"
		os = "Windows"
		arch = "x86"
		category_type = "Trojan"
		family = "Netwire"
		threat_name = "Windows.Trojan.Netwire"
	strings:
		// Format strings from the HTTP/command path; $a3, $a5 and $a6 look
		// like obfuscated/encoded literals as stored in the binary and are
		// copied verbatim. All ascii, fullword.
		$a1 = "http://%s%ComSpec" ascii fullword
		$a2 = "%c%.8x%s" ascii fullword
		$a3 = "%6\\6Z65dlNh\\YlS.dfd" ascii fullword
		$a4 = "GET %s HTTP/1.1" ascii fullword
		$a5 = "R-W65: %6:%S" ascii fullword
		$a6 = "PTLLjPq %6:%S -qq9/G.y" ascii fullword
	condition:
		// Four of six; $a4 alone is generic HTTP, so the threshold matters.
		4 of ($a*)
}
rule DEWMODE_PHP_Webshell {
	meta:
		description = "DEWMODE PHP webshell: file-listing page with a dwn/fn download handler"
	strings:
		// The download branch: if (isset($_REQUEST['dwn']) && isset($_REQUEST['fn'])) {
		// Whitespace and quote style are tolerated; \s is bounded to 256 to
		// keep the regex from scanning unbounded runs.
		$s1 = /if \(isset\(\$_REQUEST\[[\x22\x27]dwn[\x22\x27]]\)[\x09\x20]{0,32}&&[\x09\x20]{0,32}isset\(\$_REQUEST\[[\x22\x27]fn[\x22\x27]\]\)\)\s{0,256}\{/
		// Column headers of the HTML table the shell renders.
		$s2 = "<th>file_id</th>"
		$s3 = "<th>path</th>"
		$s4 = "<th>file_name</th>"
		$s5 = "<th>uploaded_by</th>"
		// Download link as it appears inside a double-quoted PHP string
		// (escaped quotes are part of the source text).
		$s6 = "target=\\\"_blank\\\">Download</a></td>"
		// Headers emitted when serving a file.
		$s7 = "Content-Type: application/octet-stream"
		$s8 = "Content-disposition: attachment; filename="
	condition:
		// Every string must be present: this targets the source file itself,
		// not a variant with renamed columns. No size guard.
		all of ($s*)
}
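rule SpicyHotPot_wuhost {
	meta:
		description = "SpicyHotPot - wuhost.exe: Used to identify rootkit and module updating component"
		author = "jai-minton"
		reference = "https://www.crowdstrike.com/blog/author/jai-minton/"
		copyright = "(c) 2020 CrowdStrike Inc."
		date = "2020-11-01"
		hash1 = "eb54cd2d61507b9e98712de99834437224b1cef31a81544a47d93e470b8613fc"
	strings:
		// Component-specific: names of the sibling modules it updates and
		// its own PDB path / executable name.
		$x1 = "wdlogin.exe" ascii fullword
		$x2 = "UpdateTemp.exe" ascii fullword
		$x3 = "UpdateSelf.exe" ascii fullword
		$x4 = "wrme.exe" ascii fullword
		$x5 = "wccenter.exe" ascii fullword
		$x6 = "D:\\Work\\Install_Driver\\Driver_helper\\Release\\wuhost.pdb" ascii fullword
		$x7 = "wuhost.exe" ascii fullword
		// Supporting strings: C2 hosts ($s4-$s6), a working directory name
		// ($s7), and libcurl / UCRT boilerplate ($s1-$s3, $s8-$s12) that any
		// statically linked curl binary also carries. $s1 has no modifiers
		// (ascii, not fullword) and ends in a trailing space.
		$s1 = "SEC_E_ILLEGAL_MESSAGE (0xX) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More "
		$s2 = "Failed reading the chunked-encoded stream" ascii fullword
		$s3 = "Negotiate: noauthpersist -> %d, header part: %s" ascii fullword
		$s4 = "https://db.testyk.com" ascii fullword
		$s5 = "https://da.testiu.com" ascii fullword
		$s6 = "https://du.testjj.com" ascii fullword
		$s7 = "dump_temp" ascii fullword
		$s8 = "AppPolicyGetProcessTerminationMethod" ascii fullword
		$s9 = "schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names" ascii fullword
		$s10 = "failed to load WS2_32.DLL (%u)" ascii fullword
		$s11 = "No more connections allowed to host %s: %zu" ascii fullword
		$s12 = "RESOLVE %s:%d is - old addresses discarded!" ascii fullword
	condition:
		// The original ended in "4 of them", which counted the two required
		// $x hits toward the four and so demanded only two supporting
		// strings, unlike the sibling SpicyHotPot rules that count $s alone.
		// Require four supporting strings explicitly.
		uint16(0) == 0x5a4d and filesize < 2000KB and 2 of ($x*) and 4 of ($s*)
}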
import "hash"

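rule simple_hash_rule {
	condition:
		// Size check first: hash.sha256(0, filesize) hashes the whole of every
		// scanned file, so without a cheap pre-filter this rule costs one
		// SHA-256 per input. The size is taken from
		// ccleaner_compromised_installer, which pins the same digest; a file
		// with this digest necessarily has that single size.
		filesize == 9791816 and hash.sha256(0, filesize) == "1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff"
}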
import "hash"

rule ccleaner_compromised_installer {
	meta:
		description = "Exact-file match (size + SHA-256) for a single trojanised CCleaner installer"
	condition:
		// filesize is compared first so the SHA-256 (which reads the whole
		// file) is only computed for files of exactly this length. The digest
		// must stay lowercase: hash.sha256() returns lowercase hex and the
		// comparison is case-sensitive.
		filesize == 9791816
		and hash.sha256(0, filesize) == "1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff"
}
rule SpicyHotPot_wrme {
	meta:
		description = "SpicyHotPot - wrme.exe: Used to identify module starting and reporting component"
		author = "jai-minton"
		reference = "https://www.crowdstrike.com/blog/author/jai-minton/"
		copyright = "(c) 2020 CrowdStrike Inc."
		date = "2020-11-01"
		hash1 = "7e489f1f72cac9f1c88bdc6be554c78b5a14197d63d1bae7e41de638e903af21"
	strings:
		// Component-specific: updater name and PDB path. $x3 is a libcurl
		// message and only discriminates together with the others.
		$x1 = "DvUpdate.exe" ascii fullword
		$x2 = "D:\\Work\\Install_Driver\\Driver_helper\\Release\\wrme.pdb" ascii fullword
		$x3 = "No more connections allowed to host %s: %zu" ascii fullword
		// Supporting strings: C2 hosts ($s6-$s8) plus libcurl / UCRT
		// boilerplate. $s1 has no modifiers and a trailing space.
		$s1 = "SEC_E_ILLEGAL_MESSAGE (0xX) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More "
		$s2 = "Failed reading the chunked-encoded stream" ascii fullword
		$s3 = "Content-Type: %s%s%s" ascii fullword
		$s4 = "Excess found in a read: excess = %zu, size = %I64d, maxdownload = %I64d, bytecount = %I64d" ascii fullword
		$s5 = "Negotiate: noauthpersist -> %d, header part: %s" ascii fullword
		$s6 = "https://db.testyk.com" ascii fullword
		$s7 = "https://da.testiu.com" ascii fullword
		$s8 = "https://du.testjj.com" ascii fullword
		$s9 = "AppPolicyGetProcessTerminationMethod" ascii fullword
		$s10 = "schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names" ascii fullword
		$s11 = "failed to load WS2_32.DLL (%u)" ascii fullword
		$s12 = "Content-Disposition: %s%s%s%s%s%s%s" ascii fullword
		$s13 = "RESOLVE %s:%d is - old addresses discarded!" ascii fullword
	condition:
		uint16(0) == 0x5A4D
		and filesize < 2000KB
		and 2 of ($x*)
		and 7 of ($s*)
}
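rule SpicyHotPot_DvLayout {
	meta:
		description = "SpicyHotPot - DvLayout.exe: Used to identify rootkit installation component"
		author = "jai-minton"
		reference = "https://www.crowdstrike.com/blog/author/jai-minton/"
		copyright = "(c) 2020 CrowdStrike Inc."
		date = "2020-11-01"
		hash1 = "551c4564d5ff537572fd356fe96df7c45bf62de9351fae5bb4e6f81dcbe34ae5"
	strings:
		// Component-specific: the two driver names it installs, a
		// service-start error message and the registry path it writes.
		$x1 = "KMDF_LOOK.sys" ascii fullword
		$x2 = "KMDF_Protect.sys" ascii fullword
		$x3 = "StartService Error, errorode is : %d ." ascii fullword
		$x4 = "Software\\Microsoft\\%s\\st" wide fullword
		// Supporting strings. The original listed "find %s failed" (ascii)
		// and "Delete %s failed" (wide) twice each, so a single occurrence
		// of either counted as two matches. The duplicates are removed and
		// the threshold lowered from 5 of 12 to 4 of 10 to keep roughly the
		// same effective bar. $s1, $s2 and $s5 are UCRT / MSVC RTTI
		// boilerplate and $s9 appears to be a DER fragment of the signing
		// certificate subject; all occur in unrelated binaries.
		$s1 = "AppPolicyGetProcessTerminationMethod" ascii fullword
		$s2 = "@api-ms-win-core-synch-l1-2-0.dll" wide fullword
		$s3 = "Genealogy.ini" wide fullword
		$s4 = "powercfg /h off" ascii fullword
		$s5 = " Type Descriptor'" ascii fullword
		$s6 = "find %s failed , errorcode : %d" ascii fullword
		$s7 = "Delete %s failed , errorcode : %d" wide fullword
		$s8 = "OpenService failed , errorcode : %d" wide fullword
		$s9 = "&Beijing JoinHope Image Technology Ltd.1/0-" ascii fullword
		$s10 = "/c del /q %s" ascii fullword
	condition:
		uint16(0) == 0x5a4d and filesize < 800KB and 1 of ($x*) and 4 of ($s*)
}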
rule SpicyHotPot_wccenter {
	meta:
		description = "SpicyHotPot - wccenter.exe: Used to identify malware that communicates with the rootkit component"
		author = "jai-minton"
		reference = "https://www.crowdstrike.com/blog/author/jai-minton/"
		copyright = "(c) 2020 CrowdStrike Inc."
		date = "2020-11-01"
		hash1 = "17095beda4afeabb7f41ff07cf866ddc42e49da1a4ed64b9c279072caab354f6"
	strings:
		// Component-specific: PDB path and the sibling module names (wide).
		$x1 = "D:\\Work\\Install_Driver\\Driver_helper\\Release\\wccenter.pdb" ascii fullword
		$x2 = "wdlogin.exe" wide fullword
		$x3 = "wuhost.exe" wide fullword
		$x4 = "wrme.exe" wide fullword
		// Supporting strings are weak: $s1 is UCRT, $s2/$s4/$s7/$s8/$s10 are
		// MSVC RTTI / demangler literals found in nearly every MSVC C++
		// binary, and $s3/$s5/$s9 look like DER fragments of the signing
		// certificate subject. The 2-of-$x requirement carries this rule;
		// $s8 has no modifiers (ascii, not fullword).
		$s1 = "AppPolicyGetProcessTerminationMethod" ascii fullword
		$s2 = " Type Descriptor'" ascii fullword
		$s3 = "&Beijing JoinHope Image Technology Ltd.1/0-" ascii fullword
		$s4 = "operator co_await" ascii fullword
		$s5 = "&Beijing JoinHope Image Technology Ltd.0" ascii fullword
		$s6 = "RvVersion" wide fullword
		$s7 = " Class Hierarchy Descriptor'" ascii fullword
		$s8 = "Base Class Descriptor"
		$s9 = "Beijing1" ascii fullword
		$s10 = " Complete Object Locator'" ascii fullword
	condition:
		uint16(0) == 0x5A4D
		and filesize < 400KB
		and 2 of ($x*)
		and 4 of ($s*)
}
rule SpicyHotPot_KMDF_LOOK {
	meta:
		description = "SpicyHotPot - KMDF_LOOK.sys: Used to identify browser hijacking component"
		author = "jai-minton"
		reference = "https://www.crowdstrike.com/blog/author/jai-minton/"
		copyright = "(c) 2020 CrowdStrike Inc."
		date = "2020-11-01"
		hash1 = "39764e887fd0b461d86c1be96018a4c2a670b1de90d05f86ed0acb357a683318"
	strings:
		// Build-path fragment; no modifiers (ascii, not fullword).
		$x1 = "G:\\SVN\\"
		// Module names of third-party security / browser-protection products
		// that the driver references (presumably a target list). These are
		// the products' own file names, so they also appear in those
		// products' installers; the 8-of threshold is what makes the
		// combination specific.
		$s1 = "TSWebDownLoadProtect.dll" wide fullword
		$s2 = "ShellIco.dll" wide fullword
		$s3 = "QMLogEx.dll" wide fullword
		$s4 = "SSOCommon.dll" wide fullword
		$s5 = "TsService.exe" ascii fullword
		$s6 = "Hookport.sys" wide fullword
		$s7 = "SafeWrapper32.dll" wide fullword
		$s8 = "safemon.dll" wide fullword
		$s9 = "iNetSafe.dll" wide fullword
		$s10 = "ieplus.dll" wide fullword
		$s11 = "wdui2.dll" wide fullword
		$s12 = "ExtBhoIEToSe.dll" wide fullword
		$s13 = "360NetBase.dll" wide fullword
		$s14 = "urlproc.dll" wide fullword
		$s15 = "360sdbho.dll" wide fullword
		$s16 = "360base.dll" wide fullword
		$s17 = "360UDiskGuard.dll" wide fullword
		$s18 = "TSClinicWebFix.dll" wide fullword
		$s19 = "QMEmKit.dll" wide fullword
		$s20 = "WdHPFileSafe.dll" wide fullword
	condition:
		// Eight of all 21 strings ($x1 counts too); "MZ" header and size cap.
		uint16(0) == 0x5A4D
		and filesize < 1000KB
		and 8 of ($x*, $s*)
}
rule SpicyHotPot_KMDF_Protect {
	meta:
		description = "SpicyHotPot - KMDF_Protect.sys: Used to identify driver protection and filtering component"
		author = "jai-minton"
		reference = "https://www.crowdstrike.com/blog/author/jai-minton/"
		copyright = "(c) 2020 CrowdStrike Inc."
		date = "2020-11-01"
		hash1 = "ab0418eb1863c8a2211d06c764f45884c9b7dbd6d1943137fc010b8f3b8d14ae"
	strings:
		// Process names the driver protects (the user-mode SpicyHotPot
		// modules) plus cmd.exe. Mostly wide; $x5 is ascii.
		$x1 = "wdlogin.exe" wide fullword
		$x2 = "\\Windows\\System32\\cmd.exe" wide fullword
		$x3 = "wuhost.exe" wide fullword
		$x4 = "wrme.exe" wide fullword
		$x5 = "UpdateSelf.exe" ascii fullword
		$x6 = "wccenter.exe" wide fullword
		// Third-party AV scanner module / process names the driver
		// references (presumably the set it filters or blocks). As product
		// file names they also occur in those products' own installers.
		$s1 = "jCloudScan.dll" wide fullword
		$s2 = "DSFScan.dll" wide fullword
		$s3 = "avescan.dll" wide fullword
		$s4 = "\\Cloudcom2.dll" wide fullword
		$s5 = "\\Cloudcom264.dll" wide fullword
		$s6 = "AVEIEngine.dll" wide fullword
		$s7 = "AVEI.dll" wide fullword
		$s8 = "BAPI.dll" wide fullword
		$s9 = "BAPI64.dll" wide fullword
		$s10 = "360Tray.exe" ascii fullword
		$s11 = "360Safe.exe" ascii fullword
		$s12 = "\\jCloudScan.dll" wide fullword
		$s13 = "\\deepscan64.dll" wide fullword
		$s14 = "\\deepscan.dll" wide fullword
	condition:
		// Note $s1 and $s12 overlap ("\jCloudScan.dll" contains
		// "jCloudScan.dll"), so one occurrence can satisfy both.
		uint16(0) == 0x5A4D
		and filesize < 1000KB
		and 2 of ($x*)
		and 6 of ($s*)
}
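rule cs_job_pipe {
	meta:
		description = "Detects CobaltStrike Post Exploitation Named Pipes"
		author = "Riccardo Ancarani & Jon Cave"
		date = "2020-10-04"
	strings:
		// \\.\pipe\ followed by 7-10 lowercase hex digits. fullword stops a
		// longer hex run from matching, but a trailing '-' is not a word
		// character, so the first 8 digits of a GUID-named pipe also
		// satisfy this pattern.
		$pipe = /\\\\\.\\pipe\\[0-9a-f]{7,10}/ ascii wide fullword
		// GUID-style pipe name: 8 hex digits then '-'. Used to discard
		// $pipe hits that are really GUID pipes.
		$guidPipe = /\\\\\.\\pipe\\[0-9a-f]{8}\-/ ascii wide
	condition:
		// The original "$pipe and not $guidPipe" suppressed the whole file
		// as soon as ANY GUID-named pipe occurred in it, even when a
		// separate Cobalt Strike-style pipe was also present. Compare per
		// occurrence instead: accept a $pipe hit unless a $guidPipe match
		// starts at the same offset (both begin with \\.\pipe\, so a GUID
		// pipe yields both matches at one offset). Empty #pipe → false.
		for any i in (1..#pipe) : ( not $guidPipe at @pipe[i] )
}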
rule halo_generated_a9b32fad32b4afb8cb3330c189fd7c87 : maldoc image {
	meta:
		// Tool-generated meta: list-valued fields are stored as their Python
		// repr because YARA meta only holds strings/ints/bools. "family" is
		// the generator's placeholder, not a real family name.
		tlp = "amber"
		author = "Halogen Generated Rule"
		date = "2020-11-18"
		md5 = "['28ab3d552d6f795378f9e6bb692c4f5f', 'afbdecbc6c7c5fc32ec922c2960b172b', '1c2b1d2d121683a9597ae8cf17763958', '7f7aad6745acc211a264bbc1350aed89', 'a9b32fad32b4afb8cb3330c189fd7c87']"
		family = "malware family"
		filename = "Directory: ../../scratchpad/use-cases/images/"
		scope = "['detection', 'collection']"
		intel = "['']"
	strings:
		// Each pattern is the literal first ~0x60 bytes of one specific PNG
		// (89 50 4E 47 signature, IHDR, sRGB/pHYs/bKGD/gAMA chunks, and the
		// start of IDAT). That pins the exact image file, including its
		// CRCs, so any re-encode or resize of the same picture will not hit.
		$png_img_value_0 = { 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00 00 00 CD 00 00 00 3A 08 02 00 00 00 9C 49 4A 9F 00 00 00 01 73 52 47 42 00 AE CE 1C E9 00 00 00 09 70 48 59 73 00 00 0E C4 00 00 0E C4 01 95 2B 0E 1B 00 00 20 12 49 44 41 54 78 5E ED 9D 07 5C 95 D5 1B C7 7D }
		$png_img_value_1 = { 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00 00 00 18 00 00 00 18 08 02 00 00 00 6F 15 AA AF 00 00 00 01 73 52 47 42 00 AE CE 1C E9 00 00 00 09 70 48 59 73 00 00 0E C4 00 00 0E C4 01 95 2B 0E 1B 00 00 01 D2 49 44 41 54 38 4F 63 FC FF FF FF B7 EF BF E6 }
		$png_img_value_2 = { 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00 00 00 18 00 00 00 18 08 02 00 00 00 6F 15 AA AF 00 00 00 01 73 52 47 42 00 AE CE 1C E9 00 00 00 09 70 48 59 73 00 00 0E C4 00 00 0E C4 01 95 2B 0E 1B 00 00 02 F5 49 44 41 54 38 4F 9D 54 5D 48 14 51 14 9E 3B }
		$png_img_value_3 = { 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00 00 05 55 00 00 02 7D 08 02 00 00 00 BA A0 05 3D 00 00 00 06 62 4B 47 44 00 FF 00 FF 00 FF A0 BD A7 93 00 00 00 09 70 48 59 73 00 00 0E C3 00 00 0E C3 01 C7 6F A8 64 00 00 80 00 49 44 41 54 78 01 04 C1 3D 8E }
		$png_img_value_4 = { 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00 00 02 DF 00 00 01 5B 08 02 00 00 00 82 A1 75 C0 00 00 00 01 73 52 47 42 00 AE CE 1C E9 00 00 FF CA 49 44 41 54 78 5E EC FD 77 97 1C C7 96 DE 0B 67 65 96 AF F6 DD E8 86 37 04 08 02 84 A1 3D 76 66 CE 68 AC E6 }
		$png_img_value_5 = { 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00 00 03 53 00 00 00 FC 08 06 00 00 00 92 1A FE 3A 00 00 00 01 73 52 47 42 00 AE CE 1C E9 00 00 00 04 67 41 4D 41 00 00 B1 8F 0B FC 61 05 00 00 00 09 70 48 59 73 00 00 0E C2 00 00 0E C2 01 15 28 4A 80 00 00 94 }
		$png_img_value_6 = { 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52 00 00 02 6E 00 00 01 2C 08 02 00 00 00 F5 B2 A8 BE 00 00 00 06 62 4B 47 44 00 FF 00 FF 00 FF A0 BD A7 93 00 00 80 00 49 44 41 54 78 DA EC FD F7 77 5B C7 96 3F 0A BE 7F 64 7E 98 79 6F DE 74 B8 D7 B6 98 90 33 98 }
	condition:
		// Any one embedded image is enough; no container or size guard, so
		// this fires on the bare PNG as well as on a document carrying it.
		any of ($png_img_value_*)
}
rule xpack_loader {
	meta:
		author = "Symantec, a division of Broadcom"
		hash = "12425edb2c50eac79f06bf228cb2dd77bb1e847c4c4a2049c91e0c5b345df5f2"
	strings:
		// Integrity / decryption error messages from the loader (wide, i.e.
		// .NET UTF-16 literals). "destoryed" typo is as in the binary.
		$s1 = "Length or Hash destoryed" wide fullword
		$s2 = "tag unmatched" wide fullword
		$s3 = "File size mismatch" wide fullword
		$s4 = "DESFile" wide fullword
		// .NET resource-manifest names of known loader assemblies; any one
		// is treated as sufficient on its own.
		$p1 = "fomsal.Properties.Resources.resources" wide fullword
		$p2 = "xPack.Properties.Resources.resources" wide fullword
		$p3 = "foslta.Properties.Resources.resources" wide fullword
	condition:
		// Valid PE ("MZ", "PE\0\0" at e_lfanew), then either two generic
		// error strings or one of the resource names. No size cap.
		uint16(0) == 0x5A4D
		and uint32(uint32(0x3C)) == 0x00004550
		and (2 of ($s*) or 1 of ($p*))
}
rule xpack_service {
	meta:
		author = "Symantec, a division of Broadcom"
		hash = "390460900c318a9a5c9026208f9486af58b149d2ba98069007218973a6b0df66"
	strings:
		// Service component artefacts (wide): the dropped .inf path, service
		// and class names, and what looks like a hard-coded key/password.
		$s1 = "C:\\Windows\\inf\\wdnvsc.inf" wide fullword
		$s2 = "PackService" wide fullword
		$s3 = "xPackSvc" wide fullword
		$s4 = "eG#!&5h8V$" wide fullword
	condition:
		// Valid PE plus three of the four strings; no size cap.
		uint16(0) == 0x5A4D
		and uint32(uint32(0x3C)) == 0x00004550
		and 3 of ($s*)
}